Message-ID: <87fv2bo7br.fsf_-_@x220.int.ebiederm.org>
Date: Fri, 18 Sep 2015 14:28:40 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: David Miller <davem@...emloft.net>
Cc: netfilter-devel@...r.kernel.org, <netdev@...r.kernel.org>,
Nicolas Dichtel <nicolas.dichtel@...nd.com>,
Pablo Neira Ayuso <pablo@...filter.org>
Subject: [PATCH next 0/15] netfilter: Stop guessing net (take 2)
This is the next installment of my work to pass struct net through the
output path so the code does not need to guess how to figure out which
network namespace it is in, and ultimately routes can have output
devices in another network namespace.

This round the changes focus on using nf_hook_state->net in the
netfilter functions, and not passing nf_hook_ops to the functions on the
netfilter chains.

Given the way per network namespace operations are implemented, callers
cannot rely on addresses or games with container_of. None of the
netfilter hooks do, but we should remove the temptation. Plus, removing
the extra parameter and the extra jump to get at values should reduce
the number of cache line misses.

As a practical matter this is the bulk of the work that other pieces of
code in the netfilter stack will depend on.

Since the last round I have fixed my test config to build act_connmark
and added the patch that modifies act_connmark to track which network
namespace it was in.

The changes are also available against net-next at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git master

My entire pending set of changes for those who want to look ahead is at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git for-testing

Eric
Eric W. Biederman (15):
ebtables: Simplify the arguments to ebt_do_table
inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table
inet netfilter: Prefer state->hook to ops->hooknum
nftables: kill nft_pktinfo.ops
x_tables: Pass struct net in xt_action_param
x_tables: Use par->net instead of computing from the passed net devices
nftables: Pass struct net in nft_pktinfo
nftables: Use pkt->net instead of computing net from the passed net_devices
net: Pass net to nf_dup_ipv4 and nf_dup_ipv6
act_connmark: Remember the struct net instead of guessing it.
nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
ipvs: Read hooknum from state rather than ops->hooknum
netfilter: Pass priv instead of nf_hook_ops to netfilter hooks
netfilter: Pass net into nf_xfrm_me_harder
netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6
include/linux/netfilter.h | 2 +-
include/linux/netfilter/x_tables.h | 3 +-
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_bridge/ebtables.h | 6 ++--
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
include/net/netfilter/br_netfilter.h | 2 +-
include/net/netfilter/ipv4/nf_dup_ipv4.h | 2 +-
include/net/netfilter/ipv6/nf_dup_ipv6.h | 2 +-
include/net/netfilter/nf_conntrack.h | 3 +-
include/net/netfilter/nf_conntrack_core.h | 1 +
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
include/net/netfilter/nf_nat_core.h | 2 +-
include/net/netfilter/nf_nat_l3proto.h | 32 ++++++++++----------
include/net/netfilter/nf_tables.h | 14 ++++-----
include/net/netfilter/nf_tables_ipv4.h | 3 +-
include/net/netfilter/nf_tables_ipv6.h | 3 +-
include/net/tc_act/tc_connmark.h | 1 +
net/bridge/br_netfilter_hooks.c | 14 ++++-----
net/bridge/br_netfilter_ipv6.c | 2 +-
net/bridge/netfilter/ebt_log.c | 2 +-
net/bridge/netfilter/ebt_nflog.c | 2 +-
net/bridge/netfilter/ebtable_broute.c | 8 +++--
net/bridge/netfilter/ebtable_filter.c | 10 +++---
net/bridge/netfilter/ebtable_nat.c | 10 +++---
net/bridge/netfilter/ebtables.c | 14 +++++----
net/bridge/netfilter/nf_tables_bridge.c | 20 ++++++------
net/bridge/netfilter/nft_reject_bridge.c | 19 ++++++------
net/decnet/netfilter/dn_rtmsg.c | 2 +-
net/ipv4/netfilter/arp_tables.c | 3 +-
net/ipv4/netfilter/arptable_filter.c | 5 ++-
net/ipv4/netfilter/ip_tables.c | 3 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv4/netfilter/ipt_SYNPROXY.c | 4 +--
net/ipv4/netfilter/ipt_rpfilter.c | 5 ++-
net/ipv4/netfilter/iptable_filter.c | 7 ++---
net/ipv4/netfilter/iptable_mangle.c | 14 ++++-----
net/ipv4/netfilter/iptable_nat.c | 21 ++++++-------
net/ipv4/netfilter/iptable_raw.c | 7 ++---
net/ipv4/netfilter/iptable_security.c | 7 ++---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 12 ++++----
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 4 +--
net/ipv4/netfilter/nf_defrag_ipv4.c | 4 +--
net/ipv4/netfilter/nf_dup_ipv4.c | 23 +++-----------
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 42 +++++++++++++-------------
net/ipv4/netfilter/nf_tables_arp.c | 6 ++--
net/ipv4/netfilter/nf_tables_ipv4.c | 10 +++---
net/ipv4/netfilter/nft_chain_nat_ipv4.c | 22 +++++++-------
net/ipv4/netfilter/nft_chain_route_ipv4.c | 6 ++--
net/ipv4/netfilter/nft_dup_ipv4.c | 2 +-
net/ipv4/netfilter/nft_masq_ipv4.c | 2 +-
net/ipv4/netfilter/nft_redir_ipv4.c | 2 +-
net/ipv4/netfilter/nft_reject_ipv4.c | 5 ++-
net/ipv6/netfilter/ip6_tables.c | 3 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 4 +--
net/ipv6/netfilter/ip6t_rpfilter.c | 6 ++--
net/ipv6/netfilter/ip6table_filter.c | 5 ++-
net/ipv6/netfilter/ip6table_mangle.c | 14 ++++-----
net/ipv6/netfilter/ip6table_nat.c | 21 ++++++-------
net/ipv6/netfilter/ip6table_raw.c | 5 ++-
net/ipv6/netfilter/ip6table_security.c | 5 ++-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 12 ++++----
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 3 +-
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 6 ++--
net/ipv6/netfilter/nf_dup_ipv6.c | 23 +++-----------
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 42 +++++++++++++-------------
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 2 +-
net/ipv6/netfilter/nf_tables_ipv6.c | 10 +++---
net/ipv6/netfilter/nft_chain_nat_ipv6.c | 22 +++++++-------
net/ipv6/netfilter/nft_chain_route_ipv6.c | 6 ++--
net/ipv6/netfilter/nft_dup_ipv6.c | 2 +-
net/ipv6/netfilter/nft_redir_ipv6.c | 3 +-
net/ipv6/netfilter/nft_reject_ipv6.c | 7 ++---
net/netfilter/core.c | 2 +-
net/netfilter/ipset/ip_set_core.c | 9 ++----
net/netfilter/ipvs/ip_vs_core.c | 40 ++++++++++++------------
net/netfilter/nf_conntrack_core.c | 10 +++---
net/netfilter/nf_conntrack_proto_dccp.c | 2 +-
net/netfilter/nf_conntrack_proto_generic.c | 2 +-
net/netfilter/nf_conntrack_proto_gre.c | 3 +-
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 2 +-
net/netfilter/nf_conntrack_proto_udp.c | 1 +
net/netfilter/nf_conntrack_proto_udplite.c | 1 +
net/netfilter/nf_nat_core.c | 4 +--
net/netfilter/nf_tables_core.c | 10 +++---
net/netfilter/nf_tables_netdev.c | 20 ++++++------
net/netfilter/nft_log.c | 3 +-
net/netfilter/nft_meta.c | 4 +--
net/netfilter/nft_queue.c | 2 +-
net/netfilter/nft_reject_inet.c | 19 ++++++------
net/netfilter/xt_LOG.c | 2 +-
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_TCPMSS.c | 2 +-
net/netfilter/xt_TEE.c | 4 +--
net/netfilter/xt_TPROXY.c | 24 +++++++--------
net/netfilter/xt_addrtype.c | 4 +--
net/netfilter/xt_connlimit.c | 4 +--
net/netfilter/xt_osf.c | 2 +-
net/netfilter/xt_recent.c | 2 +-
net/netfilter/xt_socket.c | 14 +++++----
net/openvswitch/conntrack.c | 2 +-
net/sched/act_connmark.c | 5 +--
net/sched/act_ipt.c | 1 +
net/sched/em_ipset.c | 1 +
security/selinux/hooks.c | 10 +++---
security/smack/smack_netfilter.c | 4 +--
108 files changed, 389 insertions(+), 435 deletions(-)
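To make the design point of the series concrete, here is an added userspace illustration (not kernel code and not part of this patch set): a mock of nf_hook_state with a hook that reads the namespace from state->net, next to the old device-based guess. The struct and function names mirror the kernel's, but their bodies, the hook number and the namespace ids are constructed for the example.

```c
/* Added illustration: userspace mock of the hook calling convention this
 * series moves to. Struct names follow the kernel; bodies are constructed. */
#include <stddef.h>
#include <stdbool.h>

struct net { int ns_id; };                       /* mock network namespace */
struct net_device { const char *name; struct net *nd_net; };
static struct net *dev_net(const struct net_device *dev) { return dev->nd_net; }

/* Mock of nf_hook_state: the caller that runs the chain fills in ->net, so
 * hooks no longer need to derive the namespace from the in/out devices. */
struct nf_hook_state {
    unsigned int hook;
    struct net_device *in;
    struct net_device *out;
    struct net *net;
};

/* Old style: guess the namespace from the devices the packet touches.
 * Breaks when out is NULL (nothing to guess from) or when the output
 * device is owned by a different namespace than the one doing the work. */
static struct net *guess_net_from_devices(const struct nf_hook_state *st)
{
    if (st->out) return dev_net(st->out);
    if (st->in)  return dev_net(st->in);
    return NULL;
}

/* New style hook: takes priv instead of nf_hook_ops, and uses state->net.
 * priv here is a constructed per-hook value: the namespace id to accept. */
static unsigned int example_hook(void *priv, const struct nf_hook_state *st)
{
    int *accept_ns = priv;
    return st->net->ns_id == *accept_ns ? 1 /* NF_ACCEPT */ : 0 /* NF_DROP */;
}

/* Scenario from the cover letter: packet processed in namespace A but
 * routed out a device owned by namespace B. Returns true when the
 * device-based guess disagrees with the authoritative state->net. */
static bool guess_disagrees_with_state(void)
{
    struct net ns_a = { 1 }, ns_b = { 2 };
    struct net_device veth_b = { "veth1", &ns_b };
    struct nf_hook_state st = { .hook = 4, .in = NULL, .out = &veth_b, .net = &ns_a };
    return guess_net_from_devices(&st) != st.net;
}
```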